Where do you stand in the debate over whether governments should stockpile vulnerabilities? Some believe that regardless of its utility, the practice of keeping software vulnerabilities secret affects all users and they should be disclosed no matter the circumstances. On the other side of the argument are those who believe zero-days are a matter of national security and that if a vulnerability gives us an edge in warfare or intelligence gathering, it should be kept secret.
And then there's a third group, to which I belong. This crowd understands both the benefits and consequences that can occur when governments find and conceal vulnerabilities. Ultimately, this group believes we need to take an approach that's less binary and more circumstantial, factoring in both the pros and cons of the practice and how they change based on the situation and conditions at hand.
Did you know the US government has a process in place to do exactly that? It's called the Vulnerabilities Equity Process (VEP), defined as "a process used by the U.S. federal government to determine on a case-by-case basis how it should treat zero-day computer security vulnerabilities, whether to disclose them to the public to help improve general computer security, or to keep them secret for offensive use against the government's adversaries." The VEP was developed in the late 2000s in response to a public outcry against the stockpiling of zero-day vulnerabilities. It was initially kept secret until the Electronic Frontier Foundation received redacted documentation through a Freedom of Information Act (FOIA) request in 2016. After the disclosure of the ShadowBrokers in mid-2017, the White House released an updated version of the VEP to the public in an attempt to improve transparency around the process. Let's explore how it works.
Today's VEP Process
The process is run with the authority of the White House and is led by both a representative from the National Security Agency (NSA), under the direction of the secretary of defense, as the executive secretariat, and the president's cybersecurity coordinator as the director. Other participants include representatives from 10 government agencies that comprise the Equities Review Board.
The process dictates an exchange between organizations that discover these vulnerabilities, the secretariat and the members of the Equities Review Board. During this exchange, vulnerabilities are disclosed to the group so each member can claim equity (for example, explaining "Here's how this vulnerability affects me"). This claim kicks off a round of discussion between the reporter and equity claimants to determine whether or not to recommend disclosing or restricting the vulnerability. The final decision to accept the recommendation or come up with alternatives is made by consensus of the Equities Review Board. Once a disclosure decision is made, the dissemination happens within seven days. Once you add up the time frames, the entire end-to-end process from discovery to dissemination can take anywhere from a week to one month, which is fast for a US government process.
The VEP also requires an annual report that includes statistical data on the process and its outcomes throughout the year. The report requires an unclassified executive summary at a minimum. The first reporting period closed on September 30, 2018, so we should expect an annual report soon.
Gaps and Exceptions
This process is by no means perfect. Between accommodations for the timetable, varying nondisclosure action options, and the complex back-and-forth between organizations, there is potential for our government to simply maintain the old status quo and fall short of the level of transparency for which the VEP was intended to deliver. A recent report outlined a solid list of issues associated with the process (you can read the original article here), which includes the following factors:
- NDAs and other agreements. The VEP is subject to legal restrictions against disclosing things such as nondisclosure agreements, memoranda of understanding, and other agreements between foreign or private sector partners. This opens up the possibility for both partners to hide behind these agreements in order to prevent disclosure.
- Lack of Risk Rating. The industry rates vulnerabilities by severity based on many factors. The VEP does not mandate any such rating. The absence of this kind of categorization or ranking process could result in false statistics at the end of the year. For example, the VEP could publicly state that it disclosed 100 vulnerabilities this year, but without context those could all be low-risk threats that have very little impact to the private sector.
- NSA Leadership. Considering the fact that the NSA is likely the greatest equity holder, as well as the most experienced in dealing with vulnerabilities, it comes as no surprise that a representative from the NSA was chosen as the secretariat. This position allows the largest equity holder the most power in this process.
- Alternative to Disclosure. While public disclosure is the default, other options include: disclosing mitigation information but not the vulnerability itself, limited use by our government, disclosing to US allies at a classified level, and indirect disclosure to the vendor. Many of these options keep the vulnerability a secret, negating the benefit that disclosure would bring.
Lack of Transparency
In addition to this list, there doesn't seem to be any private sector oversight built into the process. One of the issues I always find when arguing about zero-days is trust. The individual who believes vulnerabilities should always be disclosed for the betterment of security will rarely accept the response of an insider stating: "We can't because it's worth keeping secret." With the 10 agencies in the Equities Review Board including both the Department of Commerce and Department of Homeland Security, one could assume it is their responsibility to keep the private sector in mind. This does little to ease the mind of the security advocate, as these are positions appointed by the executive branch.
I believe the government should include a private sector review board of select industry representatives and cybersecurity experts who can hold a security clearance. These board members could review the outcomes of the VEP process on a monthly or quarterly basis. I believe that security advocates would be more willing to accept the response "We can't because it's worth keeping secret" if they hear it from a widely accepted industry expert as well as from the government.